From 50,000ft, Know Your Customer (KYC) is how companies make sure they only onboard the ‘right’ customers; asking prospects a few questions about themselves, their spending habits and if they intend to send money to North Korea. Done well, it can be a short and relatively seamless experience for both institution and customer. However, KYC requirements, and therefore the KYC operating model, are rarely simple. The skill is in making it seem that way on the outside, and this is where challenger financial institutions are winning over younger generations of customers.

Effective KYC reaches deep into an organization’s data, systems, people and processes, ultimately touching nearly every layer of an operating model. Materially changing KYC is a transformational and challenging undertaking for most institutions.

What actually is KYC?

Banks are responsible for ensuring they are not handling money laundered to hide illegal activity, finance terrorism or prop up a sanctioned government. There are, unsurprisingly, significant penalties against institutions which do, not to mention the reputational damage. To minimize the risk that a customer is using the bank’s products and services for illegal or risky purposes, banks collect and check customer information not just when onboarding but throughout the relationship. The data is used to gauge the risk the customer poses to the bank, usually based on a score against a set of criteria determined by compliance. This is all part of the KYC process.

KYC is not just important to traditional financial institutions but also to challengers – banks or otherwise. Startups are not exempt. In fact, quite the opposite. Regulatory scrutiny is often greatest of those proposing a change to the status quo.

Regulatory scrutiny is often greatest of those proposing a change to the status quo.

Startups have made huge leaps on the speed and ease of the authentication process for customers by use of smart phones. Take a look at challenger bank Monzo, who are moving away from the traditional approach to authentication by adopting camera phone technology (provided by Jumio, another startup). Similarly, VeriME, a Vietnam based startup, uses a blockchain solution for authentication and verification of customers – which is currently being adopted by merchants. In both cases, smartphones are used to take photos of identification documents alongside a selfie of the customer which are submitted via an app. This enables customers to provide key information (name, date and place of birth), valid identification documents and authentication without having to speak to a representative.

However, authentication of customers is only a small part of the KYC requirement for banks. They need to collect and maintain information beyond authentication, monitor their transactions and perform regular revalidations (or recertifications) of the customers. Behind the user facing façade, there remains a great deal of complexity. Let’s dig a little deeper…

Why is KYC complex?

The type of data that needs to be collected from customers can vary greatly depending on the customer and the situation. The data you would need for a local citizen opening a current account to pay in their salary would be far simpler than what you would require of a public multinational organization headquartered in a foreign country. But these requirements can be remarkably nuanced. If the local citizen, for example, happened to talk about their holiday and a bank employee believed it was more luxurious than expected based on their account usage, then different data might be needed.

Such different datasets would, by necessity, be sourced from customers in different ways, over different time periods and likely through different front end interfaces. Some will require documentary evidence, possibly from multiple parties, who may themselves have a relationship with the bank requiring a totally different set of information. All this customer data will need to flow through the same central processes and be stored in the same databases, which need to cater for all the nuances of the different customers and business lines. That’s not to mention the customer experience challenge of adhering to so many sets of requirements without literally asking hundreds of questions…

This complexity is not specific to legacy banks. It is applicable to all financial institutions that are required to comply with international Anti Money Laundering (AML) procedures, laws and regulations. This means that while startups are likely to have more user friendly onboarding interfaces, they can still fall victim to the complexity of KYC. Even more so when they grow their customer base and geographical footprint.

While startups are likely to have more user-friendly onboarding interfaces, they can still fall victim to the complexity of KYC.

Considerations for changing the KYC operating model

Given that local regulation, parent company policy and customer analytics requirements are all subject to change – often on at least a quarterly basis – it is no surprise that KYC operating models are themselves often subject to change.

In some cases, this can be simple. It might be asking a new standalone question or adapting existing wording, such as making the collection of a customer’s middle name mandatory instead of optional. Unfortunately, more fundamental changes are far from uncommon in the KYC world. A governing body may change regulations, a new suite of products and services may go live, or an external service provider may require replacement, heralding a significant revision of the KYC operating model.

Institutions faced with the need to substantially adjust their KYC processes should avoid the temptation of a series of tactical fixes, and instead implement a pragmatic, well planned solution, building up from these design principles:

  • Working with third parties

Traditionally banks have built and maintained nearly all KYC related functions. This is because they either believe it is required from a regulatory compliance perspective (it is not), or that they have unique systems or processes and need bespoke solutions (in both cases, they don’t). Technology has enabled third parties to deliver core components of KYC. Institutions like Thomson Reuters have developed solutions to deliver end-to-end identification, screening and monitoring, based on only a few data points.

  • Focus on the data you need to collect, not the questions you need to ask

A literal translation of regulation into a question set will very likely result in a clunky solution. Focus instead on the data points behind a requirement and build for that. For example, for an individual you may need both age and date of birth, and for a corporation, stock symbol and stock exchange – but the collection of these data points can be captured by asking a single question in each scenario instead of two.

  • Build for the majority of customers

The majority of customers in most institutions will follow the “happy path” and need to provide only core information, be that individuals or corporates. Much of the complexity in a solution will be found in the data collection requirements for less straightforward customers. How do you identify whether someone is a citizen of Crimea if you only ask their country? While a fully automated solution for all customers may sound like a good aspirational goal, building a flawless process for the collection of a data point required for less than 1% of the customer population is unlikely to be a good investment.

  • Automate early

For legacy institutions a lot of their KYC compliance relies on armies of people in their back and middle offices. This is because institutions quickly become dependent on their employees knowledge, regardless of how well documented processes are, making automation a hugely challenging transformation. Startups need to ensure they automate the process right away, as depending on two people to manage KYC as a startup will result in a cost base that increases in step with the number of clients.

With the introduction of GDPR in the EU and The California Consumer Privacy Act paving the way in the US, KYC is likely to become only more complex. But if your organisation is currently undergoing KYC transformation, fear not. You are not alone in uncovering the complexity behind a seemingly simple process.